Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/03/2024, 02:08
Static task: static1
Behavioral task: behavioral1
Sample: 1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe
Resource: win7-20240215-en
General
Target: 1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe
Size: 2.6MB
MD5: 622af327a5c66ca6d6d41bf02384b590
SHA1: 2e09d3d9017aec9781b77144323eacb06e7838c4
SHA256: 1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a
SHA512: 6155abf3c3131a7bfd2a7be9f216ee3e65a3492e8d2de256e98db8569a79cdbab3de710e41fa803aab5f96876a3eaf6ec813bb7320bca36c45d8eded34f1ecb9
SSDEEP: 49152:IBJgMDRANx3WB2aXuAoVNcqUhwMH9tM+EvhyJWXovJaDiSNESDgKZR8f:yn0VkZ0yF9tMhGwHuV5KZef
Malware Config
Signatures

Detect ZGRat V1 (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x000a0000000224f7-10.dat | family_zgrat_v1
  behavioral2/memory/4992-12-0x0000000000BA0000-0x0000000000E64000-memory.dmp | family_zgrat_v1
Detects executables packed with unregistered version of .NET Reactor (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x000a0000000224f7-10.dat | INDICATOR_EXE_Packed_DotNetReactor
  behavioral2/memory/4992-12-0x0000000000BA0000-0x0000000000E64000-memory.dmp | INDICATOR_EXE_Packed_DotNetReactor
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | 1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | hyperbrokerhostNetsvc.exe
Executes dropped EXE (2 IoCs)
  pid | Process
  4992 | hyperbrokerhostNetsvc.exe
  2200 | spoolsv.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (6 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Microsoft Office\root\Client\spoolsv.exe | hyperbrokerhostNetsvc.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Client\spoolsv.exe | hyperbrokerhostNetsvc.exe
  File created | C:\Program Files\Microsoft Office\root\Client\f3b6ecef712a24 | hyperbrokerhostNetsvc.exe
  File created | C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\AppxMetadata\dllhost.exe | hyperbrokerhostNetsvc.exe
  File created | C:\Program Files\Java\jre-1.8\lib\amd64\hyperbrokerhostNetsvc.exe | hyperbrokerhostNetsvc.exe
  File created | C:\Program Files\Java\jre-1.8\lib\amd64\b8bca7ac5230a7 | hyperbrokerhostNetsvc.exe
Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\ShellExperiences\conhost.exe | hyperbrokerhostNetsvc.exe
  File created | C:\Windows\ShellExperiences\088424020bedd6 | hyperbrokerhostNetsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings | hyperbrokerhostNetsvc.exe
  Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings | 1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe
Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  3320 | PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4992 | hyperbrokerhostNetsvc.exe (all 64 entries are this same pid/process pair)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4992 | hyperbrokerhostNetsvc.exe
  Token: SeDebugPrivilege | 2200 | spoolsv.exe
Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 2828 wrote to memory of 3608 | 2828 | 1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe | 91
  PID 2828 wrote to memory of 3608 | 2828 | 1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe | 91
  PID 2828 wrote to memory of 3608 | 2828 | 1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe | 91
  PID 3608 wrote to memory of 1736 | 3608 | WScript.exe | 104
  PID 3608 wrote to memory of 1736 | 3608 | WScript.exe | 104
  PID 3608 wrote to memory of 1736 | 3608 | WScript.exe | 104
  PID 1736 wrote to memory of 4992 | 1736 | cmd.exe | 106
  PID 1736 wrote to memory of 4992 | 1736 | cmd.exe | 106
  PID 4992 wrote to memory of 1660 | 4992 | hyperbrokerhostNetsvc.exe | 107
  PID 4992 wrote to memory of 1660 | 4992 | hyperbrokerhostNetsvc.exe | 107
  PID 1660 wrote to memory of 3076 | 1660 | cmd.exe | 109
  PID 1660 wrote to memory of 3076 | 1660 | cmd.exe | 109
  PID 1660 wrote to memory of 3320 | 1660 | cmd.exe | 110
  PID 1660 wrote to memory of 3320 | 1660 | cmd.exe | 110
  PID 1660 wrote to memory of 2200 | 1660 | cmd.exe | 113
  PID 1660 wrote to memory of 2200 | 1660 | cmd.exe | 113
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe"
  PID: 2828
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\PortCommon\rjsrhuSUuh9cpi71VW4.vbe"
    PID: 3608
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\PortCommon\nit1Mf9O4EmsELqVOc064rhxVFPSMSL237.bat" "
      PID: 1736
      - Suspicious use of WriteProcessMemory

      C:\PortCommon\hyperbrokerhostNetsvc.exe
        command line: "C:\PortCommon/hyperbrokerhostNetsvc.exe"
        PID: 4992
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZjZ0UfbLvd.bat"
          PID: 1660
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\chcp.com
            command line: chcp 65001
            PID: 3076

          C:\Windows\system32\PING.EXE
            command line: ping -n 10 localhost
            PID: 3320
            - Runs ping.exe

          C:\Program Files\Microsoft Office\root\Client\spoolsv.exe
            command line: "C:\Program Files\Microsoft Office\root\Client\spoolsv.exe"
            PID: 2200
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 5.7MB
MD5: 23710df1e01cfc3fa04052ba9f873d98
SHA1: d94a2da61571f7bb2f8a699cba385ab043c4b26b
SHA256: aec8ca62dea4bc175b0f8aed5a38fda3e879657b9d1e8dea0cdca274c4d1f3d9
SHA512: 946409d67f3d4a5536fc7bc2267a1cc3a5b22334c92b635236282a9c348cc6321910e1052e8d70cc41b67d07bda422a6de01423c82c262061d60b3a3c7fcbf66

Filesize: 91B
MD5: 9e914413951f28ca613d66a082e6bdf5
SHA1: 74c3592959853f6798a62cd735e120412d73445a
SHA256: 9d67c2b67e4babb2d62c1318bd530c1706a28c7ae662cdf584dd3da06ba8bb03
SHA512: b2e17288b6a06c3ae138efcdf02b9bfc61f7416e109fe4459b9c39b682eed0a303564be7349e02af15bc2eec2c1ae6c1cb347dd7415de49627fed6bfdf7ae2e3

Filesize: 223B
MD5: cf90e55a446d37686cb2816d101b5bb7
SHA1: 7385714bbdeea11d6a430803f05a59ccd7d7e5d9
SHA256: 38b60adc9820b53f1e37c5f17efd047e523a3f1b1c0486e5fd289d58b65bb5c2
SHA512: aa74811a63a82d07faa38512d2fbf119cb4c0a35e10443372ffa153fde1ddcaf2781c9b11e8da9fda8becb138050587adfbc57e43e964df1fe4fb2caf86dc86f

Filesize: 185B
MD5: ff7f6014e552ba335e00e70fa0eb3df7
SHA1: 0cfc22230e792702bcbc7bffe4056cd610765703
SHA256: 075444b60e8746d03c58ffafb609e4ab2bfdaa355879876774d2103d2e749c24
SHA512: fef0ad330e01bc02b334b358846553e3d72dfe8ebf1a8fdaa0ae9a98ebb34a18dba16d7172f15484c06df0385c6ad6161456750a087f95b37cf73f22a27338d4